NSA’s EINSTEIN Surveillance Software: A Double-Edged Sword

August 24, 2015

For some time, the National Security Agency (NSA) has been using a sophisticated software system it developed, called EINSTEIN, for use in its surveillance activities.  The NSA makes EINSTEIN available for private, commercial users.  Until recently, however, potential users in the private sector have been reluctant to accept the NSA’s offer, fearing that use of EINSTEIN could make it easier for the NSA to spy on their systems and content.  Recent massive data security breaches like that affecting the United States Office of Management and Budget have caused a growing number of commercial users to reconsider.  This ambivalence underscores the difficult balance to be struck between security and privacy, and the legal implications of that effort.

EINSTEIN is a software system that continuously monitors operations and content of the computer networks it targets.  The system makes use of a massive collection of information regarding all known computer system threats that has been compiled by the NSA over time.  EINSTEIN is thus the best available computer security monitoring platform as it applies the most comprehensive set of information available regarding known computer network threats.

The expansive scope of EINSTEIN’s monitoring of computer networks and their content raises substantial concerns in the privacy community.  Critics of EINSTEIN note that the system facilitates collection of massive amounts of data.  That collected data can be stored, analyzed and shared by the NSA.  The system thus potentially poses a major threat to personal privacy.

Several major Internet service providers already reportedly use EINSTEIN to monitor the operations of their networks.  The NSA has encouraged such use.  The ISPs now offer versions of EINSTEIN to their commercial customers.  Many commercial customers were previously reluctant to use EINSTEIN, based in large measure on concern that such use would facilitate NSA spying.

Now that EINSTEIN is already in use in major ISP systems, commercial users are becoming less reluctant to apply EINSTEIN for their own networks.  The OMB and other major data security breaches have also contributed to EINSTEIN’s growing popularity among commercial users.  Although EINSTEIN was unable to block the OMB hack, it was reportedly the first major security system to identify the suspicious system activity which eventually alerted authorities to the breach.

The EINSTEIN situation illustrates a profound truth in the world of computer security.  Those who are in the business of spying on computers and their content are the best positioned to monitor the security of those systems.  This seemingly contradictory situation carries with it an important corollary.  Those who are experienced at challenging computer security systems (hackers) are also best positioned to recommend security improvements.

EINSTEIN shows us that there is a high price to be paid for computer security.  That price is some level of reduced privacy.  We bargain with the devil each time we try to make our computers more secure, potentially losing additional control and privacy with each bargain.  We should always recognize that security is bought, not received for free.  We purchase computer security at the expense of some of our own personal freedom.  This is an exchange which should never be taken lightly.